ScalifyScalify Back

Privacy Policy

Last updated: April 14, 2026

1. Data Controller

Scalify is published and operated by the Scalify team ("we", "us"). For any question regarding your personal data, contact us at admin@scalify.tools.

2. Data Collected

  • Account: email address, password (stored as a bcrypt hash).
  • Connected stores: name, Shopify domain, access tokens (AES-256-GCM encrypted).
  • Operational data: synced orders, webhook logs (retained 90 days max).
  • Session: NextAuth session cookie (signed JWT, 30 days).
  • Technical errors: stack traces sent to Sentry for diagnostics (no application-level personal data).

3. Purposes

  • Provide the payment-rotation service and analytics tracking.
  • Ensure security and prevent abuse (rate limiting, audit logs).
  • Handle monthly billing.

4. Legal Basis

Processing is based on the performance of the contract between you and Scalify (GDPR art. 6-1-b) and on our legitimate interest in securing the service (GDPR art. 6-1-f).

5. Retention

  • Account: as long as the account is active, then 30 days after deletion.
  • Webhook logs: 90 days (automatic MongoDB TTL index).
  • Invoices: 10 years (accounting obligation).

6. Recipients

Your data is never resold. The only third parties with access are:

  • Our VPS host (infrastructure).
  • Sentry (error monitoring, stored in the EU).
  • The platforms you connect yourself (Shopify, Meta, TikTok, Google).

7. Your Rights

Under GDPR, you have the following rights:

  • Access your data (from the "Settings" section of your account).
  • Rectify your data from your profile.
  • Erase your account and all associated data, from the settings.
  • Portability: contact us to receive a JSON export.
  • Object and restrict: admin@scalify.tools.
  • File a complaint with the CNIL (cnil.fr) or your local data-protection authority.

8. Cookies

We only use a technical session cookie (NextAuth) required for authentication. No tracking, behavioural-analytics, or advertising cookies are set.

9. Security

Shopify credentials and 2FA secrets are encrypted at rest (AES-256-GCM). Connections are protected by TLS 1.2+. Administrator access is protected by mandatory two-factor authentication (TOTP).

10. Changes

This policy may be updated. The date at the top of the page indicates the current version.